Nhost Authentication

Your app probably needs a way to authenticate users. That's easy with Nhost.

Nhost Authentication integrates tightly with other services in your Nhost project, such as Hasura and Storage.

You can log in users with:

  • Email / Password
  • Github
  • Google
  • Facebook
  • Linkedin

For easy integration with auth (and storage) in your app, use nhost-js-sdk.

#Tokens

Nhost Authentication uses JWT-tokens and refresh-tokens. A JWT token is used in a GraphQL API request to authenticate the user and to resolve Hasura permissions. A refresh tokens is used to request new JWT-token.

A JWT-token can not be revoked; they can only expire. Because of that, JWT tokens are short-lived (15 min). Before a JWT-token expires, the client should request a new JWT-token using the refresh token. A refresh token can be revoked and is long-lived (1 year). To revoke a refresh-token, remove the refresh-token from the database in the auth.refresh_tokens table.

You can configure the expiration time for both JWT-tokens and refresh-tokens in the Nhost console under Settings -> Authentication.

By default, each JWT-token includes the user's id and roles as claims. Here's an example:

{
  "https://hasura.io/jwt/claims": {
    "x-hasura-allowed-roles": ["user", "me"],
    "x-hasura-default-role": "user",
    "x-hasura-user-id": "c8ee8353-b886-4530-9089-631ea7fd4c8a"
  },
  "iat": 1595146465,
  "exp": 1595147365
}

You can add more claims to the JWT token using custom user columns.